| 1 | ;;; GNU Guix --- Functional package management for GNU |
| 2 | ;;; Copyright © 2018 Danny Milosavljevic <dannym@scratchpost.org> |
| 3 | ;;; Copyright © 2018, 2019 Ricardo Wurmus <rekado@elephly.net> |
| 4 | ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be> |
| 5 | ;;; |
| 6 | ;;; This file is part of GNU Guix. |
| 7 | ;;; |
| 8 | ;;; GNU Guix is free software; you can redistribute it and/or modify it |
| 9 | ;;; under the terms of the GNU General Public License as published by |
| 10 | ;;; the Free Software Foundation; either version 3 of the License, or (at |
| 11 | ;;; your option) any later version. |
| 12 | ;;; |
| 13 | ;;; GNU Guix is distributed in the hope that it will be useful, but |
| 14 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of |
| 15 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 16 | ;;; GNU General Public License for more details. |
| 17 | ;;; |
| 18 | ;;; You should have received a copy of the GNU General Public License |
| 19 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. |
| 20 | |
| 21 | (define-module (gnu services authentication) |
| 22 | #:use-module (gnu services) |
| 23 | #:use-module (gnu services base) |
| 24 | #:use-module (gnu services configuration) |
| 25 | #:use-module (gnu services dbus) |
| 26 | #:use-module (gnu services shepherd) |
| 27 | #:use-module (gnu system pam) |
| 28 | #:use-module (gnu system shadow) |
| 29 | #:use-module (gnu packages admin) |
| 30 | #:use-module (gnu packages freedesktop) |
| 31 | #:use-module (gnu packages openldap) |
| 32 | #:use-module (guix gexp) |
| 33 | #:use-module (guix records) |
| 34 | #:use-module (guix packages) |
| 35 | #:use-module (guix modules) |
| 36 | #:use-module (ice-9 match) |
| 37 | #:use-module (srfi srfi-1) |
| 38 | #:use-module (srfi srfi-26) |
| 39 | #:export (fprintd-configuration |
| 40 | fprintd-configuration? |
| 41 | fprintd-service-type |
| 42 | |
| 43 | nslcd-configuration |
| 44 | nslcd-configuration? |
| 45 | nslcd-service-type)) |
| 46 | |
| 47 | (define-configuration fprintd-configuration |
| 48 | (fprintd (package fprintd) |
| 49 | "The fprintd package")) |
| 50 | |
| 51 | (define (fprintd-dbus-service config) |
| 52 | (list (fprintd-configuration-fprintd config))) |
| 53 | |
| 54 | (define fprintd-service-type |
| 55 | (service-type (name 'fprintd) |
| 56 | (extensions |
| 57 | (list (service-extension dbus-root-service-type |
| 58 | fprintd-dbus-service) |
| 59 | (service-extension polkit-service-type |
| 60 | fprintd-dbus-service))) |
| 61 | (default-value (fprintd-configuration)) |
| 62 | (description |
| 63 | "Run fprintd, a fingerprint management daemon."))) |
| 64 | |
| 65 | \f |
| 66 | ;;; |
| 67 | ;;; NSS Pam LDAP service (nslcd) |
| 68 | ;;; |
| 69 | |
| 70 | (define (uglify-field-name name) |
| 71 | (match name |
| 72 | ('filters "filter") |
| 73 | ('maps "map") |
| 74 | (_ (string-map (match-lambda |
| 75 | (#\- #\_) |
| 76 | (chr chr)) |
| 77 | (symbol->string name))))) |
| 78 | |
| 79 | (define (value->string val) |
| 80 | (cond |
| 81 | ((boolean? val) |
| 82 | (if val "on" "off")) |
| 83 | ((number? val) |
| 84 | (number->string val)) |
| 85 | ((symbol? val) |
| 86 | (string-map (match-lambda |
| 87 | (#\- #\_) |
| 88 | (chr chr)) |
| 89 | (symbol->string val))) |
| 90 | (else val))) |
| 91 | |
| 92 | (define (serialize-field field-name val) |
| 93 | (if (eq? field-name 'pam-services) |
| 94 | #t |
| 95 | (format #t "~a ~a\n" |
| 96 | (uglify-field-name field-name) |
| 97 | (value->string val)))) |
| 98 | |
| 99 | (define serialize-string serialize-field) |
| 100 | (define serialize-boolean serialize-field) |
| 101 | (define serialize-number serialize-field) |
| 102 | (define (serialize-list field-name val) |
| 103 | (map (cut serialize-field field-name <>) val)) |
| 104 | (define-maybe string) |
| 105 | (define-maybe boolean) |
| 106 | (define-maybe number) |
| 107 | |
| 108 | (define (ssl-option? val) |
| 109 | (or (boolean? val) |
| 110 | (eq? val 'start-tls))) |
| 111 | (define serialize-ssl-option serialize-field) |
| 112 | (define-maybe ssl-option) |
| 113 | |
| 114 | (define (tls-reqcert-option? val) |
| 115 | (member val '(never allow try demand hard))) |
| 116 | (define serialize-tls-reqcert-option serialize-field) |
| 117 | (define-maybe tls-reqcert-option) |
| 118 | |
| 119 | (define (deref-option? val) |
| 120 | (member val '(never searching finding always))) |
| 121 | (define serialize-deref-option serialize-field) |
| 122 | (define-maybe deref-option) |
| 123 | |
| 124 | (define (comma-separated-list-of-strings? val) |
| 125 | (and (list? val) |
| 126 | (every string? val))) |
| 127 | (define (ignore-users-option? val) |
| 128 | (or (comma-separated-list-of-strings? val) |
| 129 | (eq? 'all-local val))) |
| 130 | (define (serialize-ignore-users-option field-name val) |
| 131 | (serialize-field field-name (if (eq? 'all-local val) |
| 132 | val |
| 133 | (string-join val ",")))) |
| 134 | (define-maybe ignore-users-option) |
| 135 | |
| 136 | (define (log-option? val) |
| 137 | (let ((valid-scheme? (lambda (scheme) |
| 138 | (or (string? scheme) |
| 139 | (member scheme '(none syslog)))))) |
| 140 | (match val |
| 141 | ((scheme level) |
| 142 | (and (valid-scheme? scheme) |
| 143 | (member level '(crit error warning notice info debug)))) |
| 144 | ((scheme) |
| 145 | (valid-scheme? scheme))))) |
| 146 | (define (serialize-log-option field-name val) |
| 147 | (serialize-field field-name |
| 148 | (string-join (map (cut format #f "~a" <>) val)))) |
| 149 | |
| 150 | (define (valid-map? val) |
| 151 | "Is VAL a supported map name?" |
| 152 | (member val |
| 153 | '(alias aliases ether ethers group host hosts netgroup network networks |
| 154 | passwd protocol protocols rpc service services shadow))) |
| 155 | |
| 156 | (define (scope-option? val) |
| 157 | (let ((valid-scopes '(subtree onelevel base children))) |
| 158 | (match val |
| 159 | ((map-name scope) |
| 160 | (and (valid-map? map-name) |
| 161 | (member scope valid-scopes))) |
| 162 | ((scope) |
| 163 | (member scope valid-scopes))))) |
| 164 | (define (serialize-scope-option field-name val) |
| 165 | (serialize-field field-name |
| 166 | (string-join (map (cut format #f "~a" <>) val)))) |
| 167 | |
| 168 | (define (map-entry? val) |
| 169 | (match val |
| 170 | (((? valid-map? map-name) |
| 171 | (? string? attribute) |
| 172 | (? string? new-attribute)) #t) |
| 173 | (_ #f))) |
| 174 | |
| 175 | (define (list-of-map-entries? val) |
| 176 | (and (list? val) |
| 177 | (every map-entry? val))) |
| 178 | |
| 179 | (define (filter-entry? val) |
| 180 | (match val |
| 181 | (((? valid-map? map-name) |
| 182 | (? string? filter-expression)) #t) |
| 183 | (_ #f))) |
| 184 | |
| 185 | (define (list-of-filter-entries? val) |
| 186 | (and (list? val) |
| 187 | (every filter-entry? val))) |
| 188 | |
| 189 | (define (serialize-filter-entry field-name val) |
| 190 | (serialize-field 'filter |
| 191 | (match val |
| 192 | (((? valid-map? map-name) |
| 193 | (? string? filter-expression)) |
| 194 | (string-append (symbol->string map-name) |
| 195 | " " filter-expression))))) |
| 196 | |
| 197 | (define (serialize-list-of-filter-entries field-name val) |
| 198 | (for-each (cut serialize-filter-entry field-name <>) val)) |
| 199 | |
| 200 | (define (serialize-map-entry field-name val) |
| 201 | (serialize-field 'map |
| 202 | (match val |
| 203 | (((? valid-map? map-name) |
| 204 | (? string? attribute) |
| 205 | (? string? new-attribute)) |
| 206 | (string-append (symbol->string map-name) |
| 207 | " " attribute |
| 208 | " " new-attribute))))) |
| 209 | |
| 210 | (define (serialize-list-of-map-entries field-name val) |
| 211 | (for-each (cut serialize-map-entry field-name <>) val)) |
| 212 | |
| 213 | \f |
| 214 | (define-configuration nslcd-configuration |
| 215 | (nss-pam-ldapd |
| 216 | (package nss-pam-ldapd) |
| 217 | "The NSS-PAM-LDAPD package to use.") |
| 218 | |
| 219 | ;; Runtime options |
| 220 | (threads |
| 221 | (maybe-number 'disabled) |
| 222 | "The number of threads to start that can handle requests and perform LDAP |
| 223 | queries. Each thread opens a separate connection to the LDAP server. The |
| 224 | default is to start 5 threads.") |
| 225 | (uid |
| 226 | (string "nslcd") |
| 227 | "This specifies the user id with which the daemon should be run.") |
| 228 | (gid |
| 229 | (string "nslcd") |
| 230 | "This specifies the group id with which the daemon should be run.") |
| 231 | (log |
| 232 | (log-option '("/var/log/nslcd" info)) |
| 233 | "This option controls the way logging is done via a list containing SCHEME |
| 234 | and LEVEL. The SCHEME argument may either be the symbols \"none\" or |
| 235 | \"syslog\", or an absolute file name. The LEVEL argument is optional and |
| 236 | specifies the log level. The log level may be one of the following symbols: |
| 237 | \"crit\", \"error\", \"warning\", \"notice\", \"info\" or \"debug\". All |
| 238 | messages with the specified log level or higher are logged.") |
| 239 | |
| 240 | ;; LDAP connection settings |
| 241 | (uri |
| 242 | (list '("ldap://localhost:389/")) |
| 243 | "The list of LDAP server URIs. Normally, only the first server will be |
| 244 | used with the following servers as fall-back.") |
| 245 | (ldap-version |
| 246 | (maybe-string 'disabled) |
| 247 | "The version of the LDAP protocol to use. The default is to use the |
| 248 | maximum version supported by the LDAP library.") |
| 249 | (binddn |
| 250 | (maybe-string 'disabled) |
| 251 | "Specifies the distinguished name with which to bind to the directory |
| 252 | server for lookups. The default is to bind anonymously.") |
| 253 | (bindpw |
| 254 | (maybe-string 'disabled) |
| 255 | "Specifies the credentials with which to bind. This option is only |
| 256 | applicable when used with binddn.") |
| 257 | (rootpwmoddn |
| 258 | (maybe-string 'disabled) |
| 259 | "Specifies the distinguished name to use when the root user tries to modify |
| 260 | a user's password using the PAM module.") |
| 261 | (rootpwmodpw |
| 262 | (maybe-string 'disabled) |
| 263 | "Specifies the credentials with which to bind if the root user tries to |
| 264 | change a user's password. This option is only applicable when used with |
| 265 | rootpwmoddn") |
| 266 | |
| 267 | ;; SASL authentication options |
| 268 | (sasl-mech |
| 269 | (maybe-string 'disabled) |
| 270 | "Specifies the SASL mechanism to be used when performing SASL |
| 271 | authentication.") |
| 272 | (sasl-realm |
| 273 | (maybe-string 'disabled) |
| 274 | "Specifies the SASL realm to be used when performing SASL authentication.") |
| 275 | (sasl-authcid |
| 276 | (maybe-string 'disabled) |
| 277 | "Specifies the authentication identity to be used when performing SASL |
| 278 | authentication.") |
| 279 | (sasl-authzid |
| 280 | (maybe-string 'disabled) |
| 281 | "Specifies the authorization identity to be used when performing SASL |
| 282 | authentication.") |
| 283 | (sasl-canonicalize? |
| 284 | (maybe-boolean 'disabled) |
| 285 | "Determines whether the LDAP server host name should be canonicalised. If |
| 286 | this is enabled the LDAP library will do a reverse host name lookup. By |
| 287 | default, it is left up to the LDAP library whether this check is performed or |
| 288 | not.") |
| 289 | |
| 290 | ;; Kerberos authentication options |
| 291 | (krb5-ccname |
| 292 | (maybe-string 'disabled) |
| 293 | "Set the name for the GSS-API Kerberos credentials cache.") |
| 294 | |
| 295 | ;; Search / mapping options |
| 296 | (base |
| 297 | (string "dc=example,dc=com") |
| 298 | "The directory search base.") |
| 299 | (scope |
| 300 | (scope-option '(subtree)) |
| 301 | "Specifies the search scope (subtree, onelevel, base or children). The |
| 302 | default scope is subtree; base scope is almost never useful for name service |
| 303 | lookups; children scope is not supported on all servers.") |
| 304 | (deref |
| 305 | (maybe-deref-option 'disabled) |
| 306 | "Specifies the policy for dereferencing aliases. The default policy is to |
| 307 | never dereference aliases.") |
| 308 | (referrals |
| 309 | (maybe-boolean 'disabled) |
| 310 | "Specifies whether automatic referral chasing should be enabled. The |
| 311 | default behaviour is to chase referrals.") |
| 312 | (maps |
| 313 | (list-of-map-entries '()) |
| 314 | "This option allows for custom attributes to be looked up instead of the |
| 315 | default RFC 2307 attributes. It is a list of maps, each consisting of the |
| 316 | name of a map, the RFC 2307 attribute to match and the query expression for |
| 317 | the attribute as it is available in the directory.") |
| 318 | (filters |
| 319 | (list-of-filter-entries '()) |
| 320 | "A list of filters consisting of the name of a map to which the filter |
| 321 | applies and an LDAP search filter expression.") |
| 322 | |
| 323 | ;; Timing / reconnect options |
| 324 | (bind-timelimit |
| 325 | (maybe-number 'disabled) |
| 326 | "Specifies the time limit in seconds to use when connecting to the |
| 327 | directory server. The default value is 10 seconds.") |
| 328 | (timelimit |
| 329 | (maybe-number 'disabled) |
| 330 | "Specifies the time limit (in seconds) to wait for a response from the LDAP |
| 331 | server. A value of zero, which is the default, is to wait indefinitely for |
| 332 | searches to be completed.") |
| 333 | (idle-timelimit |
| 334 | (maybe-number 'disabled) |
| 335 | "Specifies the period if inactivity (in seconds) after which the con‐ |
| 336 | nection to the LDAP server will be closed. The default is not to time out |
| 337 | connections.") |
| 338 | (reconnect-sleeptime |
| 339 | (maybe-number 'disabled) |
| 340 | "Specifies the number of seconds to sleep when connecting to all LDAP |
| 341 | servers fails. By default one second is waited between the first failure and |
| 342 | the first retry.") |
| 343 | (reconnect-retrytime |
| 344 | (maybe-number 'disabled) |
| 345 | "Specifies the time after which the LDAP server is considered to be |
| 346 | permanently unavailable. Once this time is reached retries will be done only |
| 347 | once per this time period. The default value is 10 seconds.") |
| 348 | |
| 349 | ;; TLS options |
| 350 | (ssl |
| 351 | (maybe-ssl-option 'disabled) |
| 352 | "Specifies whether to use SSL/TLS or not (the default is not to). If |
| 353 | 'start-tls is specified then StartTLS is used rather than raw LDAP over SSL.") |
| 354 | (tls-reqcert |
| 355 | (maybe-tls-reqcert-option 'disabled) |
| 356 | "Specifies what checks to perform on a server-supplied certificate. |
| 357 | The meaning of the values is described in the ldap.conf(5) manual page.") |
| 358 | (tls-cacertdir |
| 359 | (maybe-string 'disabled) |
| 360 | "Specifies the directory containing X.509 certificates for peer authen‐ |
| 361 | tication. This parameter is ignored when using GnuTLS.") |
| 362 | (tls-cacertfile |
| 363 | (maybe-string 'disabled) |
| 364 | "Specifies the path to the X.509 certificate for peer authentication.") |
| 365 | (tls-randfile |
| 366 | (maybe-string 'disabled) |
| 367 | "Specifies the path to an entropy source. This parameter is ignored when |
| 368 | using GnuTLS.") |
| 369 | (tls-ciphers |
| 370 | (maybe-string 'disabled) |
| 371 | "Specifies the ciphers to use for TLS as a string.") |
| 372 | (tls-cert |
| 373 | (maybe-string 'disabled) |
| 374 | "Specifies the path to the file containing the local certificate for client |
| 375 | TLS authentication.") |
| 376 | (tls-key |
| 377 | (maybe-string 'disabled) |
| 378 | "Specifies the path to the file containing the private key for client TLS |
| 379 | authentication.") |
| 380 | |
| 381 | ;; Other options |
| 382 | (pagesize |
| 383 | (maybe-number 'disabled) |
| 384 | "Set this to a number greater than 0 to request paged results from the LDAP |
| 385 | server in accordance with RFC2696. The default (0) is to not request paged |
| 386 | results.") |
| 387 | (nss-initgroups-ignoreusers |
| 388 | (maybe-ignore-users-option 'disabled) |
| 389 | "This option prevents group membership lookups through LDAP for the |
| 390 | specified users. Alternatively, the value 'all-local may be used. With that |
| 391 | value nslcd builds a full list of non-LDAP users on startup.") |
| 392 | (nss-min-uid |
| 393 | (maybe-number 'disabled) |
| 394 | "This option ensures that LDAP users with a numeric user id lower than the |
| 395 | specified value are ignored.") |
| 396 | (nss-uid-offset |
| 397 | (maybe-number 'disabled) |
| 398 | "This option specifies an offset that is added to all LDAP numeric user |
| 399 | ids. This can be used to avoid user id collisions with local users.") |
| 400 | (nss-gid-offset |
| 401 | (maybe-number 'disabled) |
| 402 | "This option specifies an offset that is added to all LDAP numeric group |
| 403 | ids. This can be used to avoid user id collisions with local groups.") |
| 404 | (nss-nested-groups |
| 405 | (maybe-boolean 'disabled) |
| 406 | "If this option is set, the member attribute of a group may point to |
| 407 | another group. Members of nested groups are also returned in the higher level |
| 408 | group and parent groups are returned when finding groups for a specific user. |
| 409 | The default is not to perform extra searches for nested groups.") |
| 410 | (nss-getgrent-skipmembers |
| 411 | (maybe-boolean 'disabled) |
| 412 | "If this option is set, the group member list is not retrieved when looking |
| 413 | up groups. Lookups for finding which groups a user belongs to will remain |
| 414 | functional so the user will likely still get the correct groups assigned on |
| 415 | login.") |
| 416 | (nss-disable-enumeration |
| 417 | (maybe-boolean 'disabled) |
| 418 | "If this option is set, functions which cause all user/group entries to be |
| 419 | loaded from the directory will not succeed in doing so. This can dramatically |
| 420 | reduce LDAP server load in situations where there are a great number of users |
| 421 | and/or groups. This option is not recommended for most configurations.") |
| 422 | (validnames |
| 423 | (maybe-string 'disabled) |
| 424 | "This option can be used to specify how user and group names are verified |
| 425 | within the system. This pattern is used to check all user and group names |
| 426 | that are requested and returned from LDAP.") |
| 427 | (ignorecase |
| 428 | (maybe-boolean 'disabled) |
| 429 | "This specifies whether or not to perform searches using case-insensitive |
| 430 | matching. Enabling this could open up the system to authorization bypass |
| 431 | vulnerabilities and introduce nscd cache poisoning vulnerabilities which allow |
| 432 | denial of service.") |
| 433 | (pam-authc-ppolicy |
| 434 | (maybe-boolean 'disabled) |
| 435 | "This option specifies whether password policy controls are requested and |
| 436 | handled from the LDAP server when performing user authentication.") |
| 437 | (pam-authc-search |
| 438 | (maybe-string 'disabled) |
| 439 | "By default nslcd performs an LDAP search with the user's credentials after |
| 440 | BIND (authentication) to ensure that the BIND operation was successful. The |
| 441 | default search is a simple check to see if the user's DN exists. A search |
| 442 | filter can be specified that will be used instead. It should return at least |
| 443 | one entry.") |
| 444 | (pam-authz-search |
| 445 | (maybe-string 'disabled) |
| 446 | "This option allows flexible fine tuning of the authorisation check that |
| 447 | should be performed. The search filter specified is executed and if any |
| 448 | entries match, access is granted, otherwise access is denied.") |
| 449 | (pam-password-prohibit-message |
| 450 | (maybe-string 'disabled) |
| 451 | "If this option is set password modification using pam_ldap will be denied |
| 452 | and the specified message will be presented to the user instead. The message |
| 453 | can be used to direct the user to an alternative means of changing their |
| 454 | password.") |
| 455 | |
| 456 | ;; Options for extension of pam-root-service-type. |
| 457 | (pam-services |
| 458 | (list '()) |
| 459 | "List of pam service names for which LDAP authentication should suffice.")) |
| 460 | |
| 461 | (define %nslcd-accounts |
| 462 | (list (user-group |
| 463 | (name "nslcd") |
| 464 | (system? #t)) |
| 465 | (user-account |
| 466 | (name "nslcd") |
| 467 | (group "nslcd") |
| 468 | (comment "NSLCD service account") |
| 469 | (home-directory "/var/empty") |
| 470 | (shell (file-append shadow "/sbin/nologin")) |
| 471 | (system? #t)))) |
| 472 | |
| 473 | (define (nslcd-config-file config) |
| 474 | "Return an NSLCD configuration file." |
| 475 | (plain-file "nslcd.conf" |
| 476 | (with-output-to-string |
| 477 | (lambda () |
| 478 | (serialize-configuration config nslcd-configuration-fields) |
| 479 | ;; The file must end with a newline character. |
| 480 | (format #t "\n"))))) |
| 481 | |
| 482 | ;; XXX: The file should only be readable by root if it contains a "bindpw" |
| 483 | ;; declaration. Unfortunately, this etc-service-type extension does not |
| 484 | ;; support setting file modes, so we do this in the activation service. |
| 485 | (define (nslcd-etc-service config) |
| 486 | `(("nslcd.conf" ,(nslcd-config-file config)))) |
| 487 | |
| 488 | (define (nslcd-shepherd-service config) |
| 489 | (list (shepherd-service |
| 490 | (documentation "Run the nslcd service for resolving names from LDAP.") |
| 491 | (provision '(nslcd)) |
| 492 | (requirement '(networking user-processes)) |
| 493 | (start #~(make-forkexec-constructor |
| 494 | (list (string-append #$(nslcd-configuration-nss-pam-ldapd config) |
| 495 | "/sbin/nslcd") |
| 496 | "--nofork") |
| 497 | #:pid-file "/var/run/nslcd/nslcd.pid" |
| 498 | #:environment-variables |
| 499 | (list (string-append "LD_LIBRARY_PATH=" |
| 500 | #$(nslcd-configuration-nss-pam-ldapd config) |
| 501 | "/lib")))) |
| 502 | (stop #~(make-kill-destructor))))) |
| 503 | |
| 504 | (define (pam-ldap-pam-service config) |
| 505 | "Return a PAM service for LDAP authentication." |
| 506 | (define pam-ldap-module |
| 507 | #~(string-append #$(nslcd-configuration-nss-pam-ldapd config) |
| 508 | "/lib/security/pam_ldap.so")) |
| 509 | (lambda (pam) |
| 510 | (if (member (pam-service-name pam) |
| 511 | (nslcd-configuration-pam-services config)) |
| 512 | (let ((sufficient |
| 513 | (pam-entry |
| 514 | (control "sufficient") |
| 515 | (module pam-ldap-module)))) |
| 516 | (pam-service |
| 517 | (inherit pam) |
| 518 | (auth (cons sufficient (pam-service-auth pam))) |
| 519 | (session (cons sufficient (pam-service-session pam))) |
| 520 | (account (cons sufficient (pam-service-account pam))))) |
| 521 | pam))) |
| 522 | |
| 523 | (define (pam-ldap-pam-services config) |
| 524 | (list (pam-ldap-pam-service config))) |
| 525 | |
| 526 | (define %nslcd-activation |
| 527 | (with-imported-modules (source-module-closure '((gnu build activation))) |
| 528 | #~(begin |
| 529 | (use-modules (gnu build activation)) |
| 530 | (let ((rundir "/var/run/nslcd") |
| 531 | (user (getpwnam "nslcd"))) |
| 532 | (mkdir-p/perms rundir user #o755) |
| 533 | (when (file-exists? "/etc/nslcd.conf") |
| 534 | (chmod "/etc/nslcd.conf" #o400)))))) |
| 535 | |
| 536 | (define nslcd-service-type |
| 537 | (service-type |
| 538 | (name 'nslcd) |
| 539 | (description "Run the NSLCD service for looking up names from LDAP.") |
| 540 | (extensions |
| 541 | (list (service-extension account-service-type |
| 542 | (const %nslcd-accounts)) |
| 543 | (service-extension etc-service-type |
| 544 | nslcd-etc-service) |
| 545 | (service-extension activation-service-type |
| 546 | (const %nslcd-activation)) |
| 547 | (service-extension pam-root-service-type |
| 548 | pam-ldap-pam-services) |
| 549 | (service-extension nscd-service-type |
| 550 | (const (list nss-pam-ldapd))) |
| 551 | (service-extension shepherd-root-service-type |
| 552 | nslcd-shepherd-service))) |
| 553 | (default-value (nslcd-configuration)))) |
| 554 | |
| 555 | (define (generate-nslcd-documentation) |
| 556 | (generate-documentation |
| 557 | `((nslcd-configuration ,nslcd-configuration-fields)) |
| 558 | 'nslcd-configuration)) |